Hardening Claude Code: A Security Review Framework and the Prompt That Does It For You

The Problem

You’ve installed Claude Code. You’re shipping faster than ever. But have you stopped to assess what your AI coding assistant actually has access to?

Claude Code can execute shell commands, read your files, install packages, and connect to external services through MCP servers. It inherits your shell environment — including any exported API keys. Subagents spawn as separate OS processes and inherit all of that context. And if a prompt injection slips through a code comment, a package README, or an MCP server response, it executes with your permissions.

This isn’t theoretical. In the past year:

• CVE-2025–55284 demonstrated API key theft via DNS exfiltration from Claude Code itself

• The Rules File Backdoor used invisible Unicode in config files to poison Cursor and Copilot repositories

• The IDEsaster disclosure revealed 30+ CVEs across 10+ AI coding tools, resulting in 24 assigned CVEs

• The GlueStack supply chain attack compromised 17 npm packages with 1M+ weekly downloads

• Research showed AI assistants leaking credential-like strings from their context windows

Good frameworks exist — OWASP’s Top 10 for Agentic Applications (2026), OpenSSF’s Security-Focused Guide for AI Code Assistants, Trail of Bits’ Claude Code Configuration, the MAESTRO Framework from Cloud Security Alliance. But most of the guidance reads like a whitepaper. What I wanted was something I could actually run.

What I Built

After running a full security review of my own Claude Code environment, I found gaps I didn’t expect — credentials persisted in session transcripts, zombie processes holding authenticated API sessions, zero pre-execution security gates, unaudited MCP connections, and no plugin governance.

I fixed all of it using Claude Code itself, working iteratively through seven phases with my approval at each step. Then I extracted the process into a reusable prompt.

The prompt below is designed to be pasted directly into a new Claude Code session. It will assess your environment, propose protections, and implement them phase by phase — only with your explicit approval at each step.

The Seven Layers

The prompt implements a defense-in-depth approach across seven categories:

1. Security Assessment — Inventory your current state: processes, MCP servers, credentials, permissions, endpoint protections

2. Pre-Execution Gate — A PreToolUse hook that blocks dangerous commands before they execute (pipe-to-shell, destructive deletes, credential exfiltration patterns, permission bypass flags)

3. Supply Chain Protection — Package scanning, lifecycle script lockdown, CVE auditing

4. File-Level Malware Scanning — ClamAV with automated definition updates and scheduled scans

5. Credential Hygiene — Transcript scrubbing, snapshot pruning, credential removal from config files

6. MCP Server Audit — Transport type, version pinning, network exposure, and risk rating for each server

7. Governance — Managed settings to disable bypass-permissions mode and restrict plugin sources

Each layer addresses specific, documented attack vectors. The prompt explains what each protection does and honestly notes its limitations.

Important Caveats

Start with the foundation. Before any of this matters, verify your endpoint protections are active (EDR, network inspection, firewall/VPN). Do not run your daily workstation as an admin user. If your account has admin privileges during normal daily operations, every process you launch — including Claude Code and all its subagents — inherits those elevated permissions. A prompt injection that would be contained under a standard user account becomes a full system compromise under admin. Log in as a standard user. Elevate with sudo only when you need to install something, then drop back down.

This won’t stop prompt injection — but it’s a real improvement over nothing. Let’s be honest: hooks are pattern-matching shell scripts, not a security boundary. A sophisticated prompt injection can still find ways around them. Anthropic and Trail of Bits both describe hooks as “guardrails, not walls.” But here’s the thing — before running this prompt, you likely have zero pre-execution gates. No command filtering. No credential scanning. No supply chain checks. No malware scanning on downloaded files. Going from nothing to a layered set of detections and blocks is a meaningful improvement. It won’t catch everything, but it will catch the obvious and the accidental — and that’s a large percentage of real-world attacks.

Just run it. Paste the prompt into a fresh Claude Code session and see what it finds. You don’t need to complete all seven phases in one sitting — do what you can with the time you have, then come back and run it again. The prompt is designed to pick up where you left off. Each phase stands on its own.

Read the documentation it generates. Phase 7 produces a security document that maps protections to attack vectors, lists every file it created, and lays out a maintenance schedule. Read it. That’s where you start to see how the pieces connect — how the PreToolUse hook covers the exfiltration patterns from CVE-2025-55284, how the supply chain scanning addresses GlueStack-style attacks, how credential scrubbing closes the gap that Knostic identified. Understanding the why behind each layer is what turns a one-time hardening exercise into an ongoing security practice.

Adapt it to your environment. The prompt is a framework, not a prescription. Your MCP servers, package managers, and operating system will differ. Let Claude Code discover what’s relevant and propose appropriate protections.

Share what you find. If you run this and discover something unexpected — a credential in a place you didn’t anticipate, a zombie process you didn’t know about, an MCP server with more access than it needs — consider sharing that pattern (without the specifics) with the community. The attack surface for AI coding tools is new territory, and practitioners sharing what they’re actually seeing is how the field matures.

The Hardening Prompt

Prerequisites: Homebrew (macOS) or apt (Linux). ~15 minutes. Review each phase before approving. First run typically surfaces findings you didn’t expect — that’s the point.

I want you to harden my Claude Code development environment with a layered
security approach. Work through these phases iteratively, confirming each
before moving to the next. For each phase, tell me what you're going to do,
wait for my approval, then implement it.

## Phase 1: Security Assessment
- Check my OS, user privilege level (am I admin?), and existing endpoint
  protections (EDR, network inspection, VPN, firewall)
- List all running Claude Code processes, their resource usage, and identify
  any zombies (0% CPU, running >2h)
- Inventory my MCP servers from ~/.claude.json and any project .mcp.json files
- Check for plaintext credentials in: .claude/settings.local.json, .env files,
  MCP configs, shell history, shell snapshots (~/.claude/shell-snapshots/)
- Check my current Claude Code permission mode and review settings.local.json
  for stale permission entries
- Report findings as a security posture summary with risk ratings

## Phase 2: Pre-Execution Gate (PreToolUse Hook)
Create .claude/hooks/security-precheck.sh that blocks:
1. Dangerous flags: --dangerously-skip-permissions, --no-verify, --force
2. Pipe-to-shell: curl|bash, wget|sh patterns
3. Sensitive directory deletion: rm -rf on /, ~, $HOME, .claude, .ssh, .gnupg
4. World-writable permissions: chmod 777, chmod a+rwx
5. Credential exfiltration: curl/wget/nc with API_KEY, TOKEN, PASSWORD, SECRET

Output {"decision":"block","reason":"..."} when blocking, exit 0 when allowing.
Wire into settings.local.json hooks.PreToolUse for Bash matcher.

## Phase 3: Supply Chain Protection
- Install Socket CLI for npm supply chain scanning
- Configure bun/npm lifecycle lockdown (block postinstall scripts)
- Install pip-audit via pipx for Python CVE scanning
- Add Socket CLI check to the PreToolUse hook for npm/bun install commands
- Run initial scans and report findings

## Phase 4: File-Level Malware Scanning
- Install ClamAV, configure freshclam for auto-updates
- Create PostToolUse hook (.claude/hooks/security-scan.sh) that scans files
  after curl/wget/download commands and flags package installs
- Create scheduled scan script for Downloads and inbox directories
- Set up launchd/cron for virus updates (2x daily) and scans (2x daily)

## Phase 5: Credential Hygiene & Session Cleanup
- Scan all session transcripts for credential patterns and scrub them
- Create .claude/hooks/session-cleanup.sh that:
  - Kills zombie processes (0% CPU, >2 hours)
  - Prunes shell snapshots older than 7 days
  - Scrubs credentials from transcripts
  - Reports session count and storage
- Schedule 3x daily via launchd/cron
- Remove any credentials from settings.local.json and MCP configs

## Phase 6: MCP Server Audit
For each configured MCP server, assess:
- Transport type (stdio vs HTTP), source, version pinning
- Network exposure and inspection coverage
- Lifecycle script protections
- Rate risk as LOW/MEDIUM/HIGH with recommendations

## Phase 7: Governance & Documentation
- Create managed settings template disabling bypass-permissions and restricting
  plugins to official marketplace
- Provide sudo commands for system-level installation
- Create security documentation with:
  - Attack surface table with risk ratings
  - File inventory of all security artifacts
  - Maintenance schedule (automated + manual)
  - Checklists for new MCP servers and quarterly reviews

Throughout all phases:
- Explain what each protection addresses and its limitations
- Don't install anything without my approval
- Log all actions
- Run a final verification pass confirming everything is wired and active

After You Run It

Start with the Phase 1 security posture summary. If it found plaintext credentials or zombie processes, those are your quick wins — immediate risk reduction with zero architectural decisions. The PreToolUse hook (Phase 2) is the single highest-value addition: it goes from zero command filtering to active blocking of known-dangerous patterns. Everything after that builds additional layers.

When you’ve completed a run, re-read the security documentation from Phase 7. It ties everything together — which attack vectors each protection addresses, what’s automated versus manual, and where to focus your next pass. That document is your ongoing reference, not just a one-time deliverable.

Further Reading

• Anthropic Engineering: “Making Claude Code More Secure and Autonomous” — sandboxing architecture

• Anthropic: Claude Code Security Documentation, Hooks Reference, SDK Permissions

• Trail of Bits: claude-code-config and claude-code-devcontainer (GitHub)

• OWASP: Top 10 for Agentic Applications 2026

• OpenSSF: Security-Focused Guide for AI Code Assistant Instructions

• Cloud Security Alliance: MAESTRO Framework

• Cisco/CoSAI: Project CodeGuard

• Palo Alto Unit 42: MCP Attack Vectors

• Microsoft: Protecting Against Indirect Injection Attacks in MCP

• Pillar Security: Rules File Backdoor (Cursor/Copilot, March 2025)

• Embrace The Red: CVE-2025-55284 — Claude Code DNS Exfiltration

• Cymulate: CVE-2025-54794/54795 — Claude Code Path Bypass

• Knostic: Claude/Cursor .env Secret Leakage

• The Hacker News: IDEsaster — 30+ AI Coding Tool Flaws (December 2025)

• Aikido Security: GlueStack npm Supply Chain Attack (June 2025)

---

Tim McAllister is Sr. Director of Digital Trust Specialists at DigiCert, focused on device identity, compliance, and securing AI-assisted development workflows.